tsb.tetrate.io/v2
OrganizationSetting
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | tsb.tetrate.io/v2 | true |
kind | string | OrganizationSetting | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | Settings that apply globally to the entire organization. | false |
status | object | | false |
OrganizationSetting.spec
Settings that apply globally to the entire organization.
Name | Type | Description | Required |
---|---|---|---|
defaultSecuritySetting | object | Security settings for all proxy workloads in this organization. | false |
defaultTrafficSetting | object | Traffic settings for all proxy workloads in this organization. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
networkSettings | object | Reachability between clusters on various networks. | false |
regionalFailover | []object | Default locality routing settings for all gateways. | false |
OrganizationSetting.spec.defaultSecuritySetting
Security settings for all proxy workloads in this organization.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | | false |
authorization | object | | false |
configGenerationMetadata | object | Metadata values that will be added to the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | | false |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings
Name | Type | Description | Required |
---|---|---|---|
http | object | | false |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules for authenticating an HTTP request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | | false |
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
issuer | string | Identifies the issuer that issued the JWT. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | false |
prefix | string | The prefix that should be stripped before decoding the token. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | false |
header | string | The name of the header to be created. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc
Name | Type | Description | Required |
---|---|---|---|
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
clientId | string | The client_id to be used in the authorize calls. | false |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
provider | object | The OIDC Provider configuration. | false |
redirectPathMatcher | string | | false |
redirectUri | string | | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
issuer | string | The OIDC Provider's issuer identifier. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules
List of rules for authenticating an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for authenticating an HTTP request from a JWT Token attached to it. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | | false |
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
issuer | string | Identifies the issuer that issued the JWT. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | false |
prefix | string | The prefix that should be stripped before decoding the token. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | false |
header | string | The name of the header to be created. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | | false |
serviceAccounts | []string | | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |